Can I ask
how to encrypt a password in PHP code?
Then how to decrypt it after encrypting?
Thanks
To do this you need to write your own encrypting algorithm.
The system-supplied functions sha_1 and md5 are "un-decryptable".
This all makes sense really because if there were publicly available functions that encrypted and decrypted it would make them fairly useless.
PHP's OpenSSL interface has everything you may ever want for encryption/decryption/hashing and even an awesome RNG.
See php.net/openssl
Basically... do md5 on the password for encryption..
But 50% of the world's passwords are "password", so by frequency analysis one can guess the password (though it requires some work).
So you had better add some salt (a string of 16 or 8 random characters) to the password of each user.
So now md5 the password and salt and then validate it against the database.
So even if the passwords for various users are the same, your salt (unique for each user) makes the stored passwords different (so no repeated patterns in the database, basically).
For validating:
Take the password from the user and fetch the salt for his username.
Do md5 on both of them and check against the database.

<?php
// Build a random string of $len + 1 characters drawn from $base.
$len = 16;
$base = 'ABCDEFGHKLMNOPQRSTWXYZabcdefghjkmnpqrstwxyz123456789';
$max = strlen($base) - 1;
$activatecode = '';
// Manual seeding is unnecessary on modern PHP; note that mt_rand() is not a cryptographic RNG.
mt_srand((double)microtime() * 1000000);
while (strlen($activatecode) < $len + 1) {
    // $base{...} string offsets were removed in PHP 8; [] is the supported form.
    $activatecode .= $base[mt_rand(0, $max)];
}
echo $activatecode;
?>

This is what a salt looks like.
Regards
Dheeraj Joshi
MD5 is basically one way.
You can encrypt but cannot decrypt.. (I mean to say you cannot get back the actual text from the encrypted text.)
Regards
Dheeraj Joshi
@dheerajjoshim
That's called "hashing". Encryption is always reversible e.g. encrypted text can be decrypted if you have the right key(s).
On topic, I would avoid md5(), which is very outdated and easy to crack, if I were you. If you want secure passwords, the best way would be to use some very resilient hashing algorithm (RipeMD is a great choice) with a 6+ character salt. Encryption is slightly more problematic since the attacker only has to break the encryption key to access the data, which means you will have to devise some method to protect the encryption keys (which is often done through hashing a password...). It's not worth all this hassle only to allow users to recover their password IMO.
Unauthorized is right...
MD5 is outdated...
Go for something else.
Regards
Dheeraj Joshi
You can use base64_encode() and base64_decode() for encrypting and later decrypting the string...

<?php
$str = 'This is a top secret...';
// base64 is a reversible encoding of the bytes: anyone can decode it back
$enc = base64_encode($str);
$dec = base64_decode($enc);
echo "Encoded String";
echo $enc;
echo "Decoded String";
echo $dec;
?>

but it's only 64 bit and not secure enough...
You may use hashing algorithms like MD5 and SHA1 to make a hash of your password and store it in the db..
Later, when the user enters the password... you just make the hash of the entered password and compare it with the hashed value from the db with a strcmp().
Hope this will help you....
base64_*() are not encryption algorithms; they are encoding algorithms. They convert from one form to another (like converting binary and decimal). By "64 bits" you mean "64 characters" and "not secure enough" should be "not secure at all".
You should take a look at mcrypt: http://uk.php.net/manual/en/function.mcrypt-encrypt.php
I'm not entirely sure, but I think MD5 is a fairly secure algorithm; SHA-1 is securer, I think. I wouldn't judge its strength by its age. Although it may be susceptible to brute force attacks, simple rate limiting on a production site can eliminate this risk.
As for salts, this is probably easier:

$salt = md5(uniqid(mt_rand(), true), true);   // 16 raw bytes
$hashed_pass = md5($pass . $salt, true);      // 16 raw bytes

-Brendon.
I cracked md5.
I have the code at home if you don't believe me.
It cracked a 4 letter password in half an hour. In a couple of days I could probably do 5 or 6 letters.
I'd go with SHA-1 as a bare minimum with a good salt.
Dan
@dlite922
Why bruteforce when you can just use one of the freely available rainbow tables on the net and "crack" stuff in seconds?
@dlite922
I suspect all 4 letter passwords are on ready-available rainbow tables, and many 5 and 6 letter passwords are probably there too. And that goes for SHA-1, as well.
(Edit: beaten to it)
If my string in the database is already encrypted,
how do I retrieve it?
This is my original login code without adding any encryption:

<?php
session_start();
$username = $_POST['username'];
$password = $_POST['password'];
if ($username && $password)
{
    $connect = mysql_connect("localhost", "root", "") or die("Couldn't connect!");
    $select = mysql_select_db("phplogin") or die("Couldn't find db");
    // user input is concatenated straight into the SQL text (see the replies below)
    $query = mysql_query("SELECT * FROM users WHERE username = '" . $username . "' AND password = '" . $password . "' ");
    $result = mysql_num_rows($query);
    if ($result != 0)
    {
        while ($row = mysql_fetch_assoc($query))
        {
            $dbusername = $row['username'];
            $dbpassword = $row['password'];
        }
        // check to see if they match
        // (a single '=' assigns rather than compares; kept as posted, see the replies below)
        if ($username = $dbusername && $password = $dbpassword)
        {
            echo "You are in! <a href='member1.php'>Click</a> here to enter member page.";
            $_SESSION['username'] = $dbusername;
        }
        else echo "incorrect password";
    }
    else die("User not exist!");
}
else
    die("Please enter username and password!");
?>
And this is my change-password part.
Can someone help me? thz..
How do I log in with the changed password, which is already encrypted?
thz

<?php
session_start();
$user = $_SESSION['username'];
if ($user)
{
    // user is logged in
    if (@$_POST['submit'])
    {
        // check fields
        $oldpassword = md5($_POST['oldpassword']);
        $newpassword = md5($_POST['newpassword']);
        $repeatnewpassword = md5($_POST['repeatnewpassword']);
        // the already-hashed values are hashed a second time here
        $old = md5($oldpassword);
        $new = md5($newpassword);
        $repeatnew = md5($repeatnewpassword);
        // check password against db
        // connect db
        $connect = mysql_connect("localhost", "root", "") or die("Couldn't connect!");
        $select = mysql_select_db("phplogin") or die("Couldn't find db");
        $queryget = mysql_query("SELECT password FROM users WHERE username='$user'") or die("Query didn't work");
        $row = mysql_fetch_assoc($queryget);
        $oldpassworddb = $row['password'];
        // check password
        // (a single '=' assigns rather than compares; kept as posted, see the replies below)
        if ($old = $oldpassworddb)
        {
            // check the 2 new passwords (debug output of the intermediate values)
            echo "$old<br>";
            echo "$new<br>";
            echo "$repeatnew<br>";
            echo "$oldpassword<br>";
            echo "$newpassword<br>";
            echo "$repeatnewpassword<br>";
            if ($new == $repeatnew)
            {
                // success
                // change pswd in db
                $querychange = mysql_query("UPDATE users SET password = '$newpassword' WHERE username='$user'");
                session_destroy();
                die("Your password has been changed. <a href='index1.php'>Return</a> to main page");
            }
            else
                die("New passwords don't match!");
        }
        else
            die("Old password doesn't match");
    }
    else
    {
        echo "
        <form action='changepassword.php' method='POST'>
        <p>Old password: <input type='text' name='oldpassword'></p>
        New password: <input type='text' name='newpassword'><br />
        <p>Repeat new password: <input type='text' name='repeatnewpassword'></p>
        <input type='submit' name='submit' value='Submit'>
        </form>";
    }
}
else
    die("You must be logged in to change your password!");
?>
What I would have done is:
When a user signs up for the first time I will give a unique character string (salt) to the user and store it in the db... When he gives the password, I will do md5 or something else on the password and salt and store it in the db.
On the next login, check the user name, then fetch the salt and fetch the encrypted password from the db.
Now take the password from the form and do md5 or something on the password and salt.. so the resultant encrypted string will be the same as the encrypted password from the db.
Note: This is an idea; there may be some security issues you need to consider.
Regards
Dheeraj Joshi
And please use code tags..
Regards
Dheeraj Joshi
Your current script is a bit over-complicated and is wrong (you are using = assignment rather than ==, === or, even better, strcmp). And your script is open to SQL injection. Here's something I have used before, adapted:

session_start();
$username = isset($_POST['username']) ? $_POST['username'] : NULL;
$password = isset($_POST['password']) ? $_POST['password'] : NULL;
// escape the username before it goes into the query (needs an open mysql connection, not shown here)
$sql = "SELECT salt, pass_hash FROM users WHERE username = '%s'";
$sql = sprintf($sql, mysql_real_escape_string($username));
$result = mysql_query($sql);
if (!mysql_num_rows($result)) {
    /* incorrect username */
} else {
    $row = mysql_fetch_row($result);
    // raw 16-byte md5 of password + stored salt, matching the BINARY(16) column
    $pass_hash = pack("H*", md5($password . $row[0]));
    if (strcmp($pass_hash, $row[1]) === 0) {
        $_SESSION['username'] = $username;
        header("Location: account.php");
        exit;
    } else {
        /* Incorrect password */
    }
}
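The register-then-login flow that Dheeraj's posts describe and that the script above implements, written out as an added example (not code from any post in this thread): it uses PHP's built-in password_hash()/password_verify() (PHP 5.5+) in place of md5 plus a hand-rolled salt, and a PDO prepared statement in place of SQL built from user input. The users table and the in-memory SQLite database are assumptions so the script runs stand-alone.

```php
<?php
// Added example, not code from any post in this thread. Assumes the pdo_sqlite
// extension and a hypothetical users(username, pass_hash) table.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pass_hash TEXT NOT NULL)');

function register(PDO $db, string $username, string $password): void
{
    // password_hash() draws a fresh random salt on every call and embeds it in
    // the returned string, so no separate salt column is needed.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, pass_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

function login(PDO $db, string $username, string $password): bool
{
    // Bound parameters never become part of the SQL text, so a username such
    // as "' OR '1'='1" is simply an unknown username, not a changed query.
    $stmt = $db->prepare('SELECT pass_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify against a dummy hash when the user is unknown, so the response
    // time does not reveal whether the username exists.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('dummy', PASSWORD_DEFAULT);
    }
    $stored = ($row === false) ? $dummy : $row['pass_hash'];
    // password_verify() re-hashes with the embedded salt and compares in
    // constant time; do not compare hashes with == or strcmp yourself.
    return password_verify($password, $stored) && $row !== false;
}

// Constructed demo data: two users choose the same password.
register($db, 'alice', 'password');
register($db, 'bob', 'password');
// Per-user salts give different stored values for the same password.
$distinct = $db->query('SELECT COUNT(DISTINCT pass_hash) FROM users')->fetchColumn();
echo "distinct stored hashes for 2 users with the same password: $distinct\n";
foreach ([['alice', 'password'], ['alice', 'Password'], ["' OR '1'='1", 'password']] as [$u, $p]) {
    echo sprintf("login(%s): %s\n", var_export($u, true), login($db, $u, $p) ? 'accepted' : 'rejected');
}
```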
ok thanks,
but there is an error:
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource,
Can I know how to fix it? thx
Are pass_hash and salt fields in the database?
And what is strcmp for?
Thz
But why can any user who is not in the database also log in?
@dreamy
There is probably a mysql error (echo mysql_error() to see), probably due to those fields missing.
@dreamy
Yes, `pass_hash` and `salt` are BINARY(16) fields in the database. pass_salt is the result of:
$pass_salt = md5($pass . $salt, true);
$salt could be, for example:
$salt = md5(uniqid(mt_rand(), true), true);
strcmp is a binary-safe string comparison: it returns 0 if they match (see php.net). We need this because the values may be misrepresented in a normal string comparison (I think/am sure).